Abstract

Nominal abstract syntax and higher-order abstract syntax provide a means for describing binding structure which is higher-level than traditional techniques. These approaches have spawned two different communities which have developed along similar lines but with subtle differences that make them difficult to relate. The nominal abstract syntax community has devices like names, freshness, name-abstractions with variable capture, and the И-quantifier, whereas the higher-order abstract syntax community has devices like λ-binders, λ-conversion, raising, and the ∇-quantifier. This paper aims to unify these communities and provide a concrete correspondence between their different devices. In particular, we develop a semantics-preserving translation from αProlog, a nominal abstract syntax based logic programming language, to 𝒢⁻, a higher-order abstract syntax based logic programming language. We also discuss higher-order judgments, a common and powerful tool for specifications with higher-order abstract syntax, and we show how these can be incorporated into 𝒢⁻. This establishes 𝒢⁻ as a language with the power of higher-order abstract syntax, the fine-grained variable control of nominal specifications, and the desirable properties of higher-order judgments.

Categories and Subject Descriptors F.3.1 [Logics and Meanings of Programs]: Specifying and Verifying and Reasoning about Programs; F.4.1 [Logic and Constraint Programming]: Mathematical Logic; I.2.3 [Deduction and Theorem Proving]: Logic Programming
1. Introduction

Many approaches and languages have been proposed for encoding logical specifications of systems with binding. One popular approach is based on nominal logic which formalizes a notion of α-equivalence classes along with related devices [18]. This has led to the αProlog language which allows for executing specifications based on nominal logic [5]. Another popular approach is based on higher-order abstract syntax which uses a weak λ-calculus to represent binding in object systems [?]. Formalizing specifications based on higher-order abstract syntax requires a framework with devices for manipulating and forming judgments over λ-terms. The most notable examples of such frameworks are LF [12] and λProlog [16] which use higher-order techniques for representing both syntax and judgments.

The success of both the nominal and higher-order approaches has led to questions regarding their relationship and relative merits such as naturalness and expressiveness. Higher-order abstract syntax provides a high-level treatment of binding and is often used with higher-order judgments to produce elegant specifications. These specifications benefit from a free notion of substitution inherited from the specification language and from nice properties which can be used when reasoning, e.g., that substitution for free variables preserves the validity of judgments. On the other hand, nominal approaches require substitution issues to be dealt with manually, but allow object variables to be manipulated directly. This results in natural specifications when fine-grained control over object variables is required. The same naturalness is not found in similar situations when using higher-order judgments. This is not a limitation of the high-level treatment of binding provided by higher-order abstract syntax, but rather of the companion notion of higher-order judgments. In fact, in this paper we show that higher-order abstract syntax in a suitable framework is capable of at least the same naturalness and expressiveness as nominal logic specifications. We do this by developing and proving correct a direct translation from αProlog programs to definitions in 𝒢⁻, a logic with higher-order abstract syntax.

Higher-order judgments play an important role in higher-order abstract syntax specifications because of their elegance and nice properties. It is disappointing that they are abandoned in order to make this connection between nominal and higher-order abstract syntax specifications. We show, however, that higher-order judgments can be encoded in 𝒢⁻ so that their nice features are preserved. Thus 𝒢⁻ is a language in which the benefits of both nominal logic and higher-order judgments can be realized.

Let us consider an example to demonstrate the already close correspondence between specifications based on nominal and higher-order abstract syntax. The following αProlog program describes type checking for λ-terms.

$$
\begin{array}{l}
\forall G,X,T.\,[tc(G, var(X), T) \;\text{:-}\; lookup(X,T,G)] \\
\forall G,E_1,E_2,T'.\,[tc(G, app(E_1,E_2), T') \;\text{:-}\; \exists T.\, tc(G,E_1,arr(T,T')) \wedge tc(G,E_2,T)] \\
\text{И}x.\forall G,E,T,T'.\,[tc(G, lam(\langle x\rangle E), arr(T,T')) \;\text{:-}\; x \# G \wedge tc(bind(x,T,G),E,T')]
\end{array}
$$

The last clause illustrates the specification of binding structure and features the nominal И-quantifier for fresh variable names, name-abstraction ⟨x⟩E for denoting object binding structure, and the fresh relation x # G for enforcing a freshness side-condition. The same program can be specified in 𝒢⁻ using the following definitional clauses.

$$
\begin{array}{l}
\forall G,X,T.\,[tc\; G\; (var\; X)\; T \triangleq lookup\; X\; T\; G] \\
\forall G,E_1,E_2,T'.\,[tc\; G\; (app\; E_1\; E_2)\; T' \triangleq \exists T.\, tc\; G\; E_1\; (arr\; T\; T') \wedge tc\; G\; E_2\; T] \\
\forall G,E,T,T'.\,[tc\; G\; (lam\; \lambda x.E\; x)\; (arr\; T\; T') \triangleq \nabla x.\, tc\; (bind\; x\; T\; G)\; (E\; x)\; T']
\end{array}
$$

The last clause here features the ∇-quantifier for fresh variable names, a λ-binder for denoting object binding structure, and a function application (E x) denoting a substitution. In addition, the variable quantification order in the last clause enforces the freshness side-condition: since x is quantified inside the scope of G, no instantiation for the latter can contain the former. The translation we present in this paper actually generates these definitional clauses given the original αProlog program. By studying this translation and proving it correct, we can pin down the exact relationship between the nominal and higher-order devices of these two specifications.

It is important to note that this paper is not an attempt to argue that one approach or another is irrelevant. Nominal techniques embed nicely in existing theorem provers [20], and higher-order techniques enable high-level specification and reasoning [?]. In addition, this paper does not attempt to relate implementation issues associated with executing nominal and higher-order abstract syntax specifications, such as higher-order, nominal, or equivariant unification. Such relationships have been investigated in other works [?].

The paper is organized as follows. We describe αProlog in Section 2, 𝒢⁻ in Section 3, and the translation in Section 4. We discuss the relationship with higher-order judgments in Section 5 and we conclude in Section 6.

2. αProlog

The syntax of αProlog is made up of terms, goals, and program clauses which are defined by the following grammars, respectively:

$$
\begin{array}{lcl}
t, u & ::= & a \mid X \mid f(\bar t) \mid (a\; b)\cdot t \mid \langle a\rangle t \\
G & ::= & \top \mid p(\bar t) \mid a \# t \mid t \approx u \mid G \wedge G' \mid G \vee G' \mid \exists X.G \mid \text{И}a.G \\
D & ::= & \text{И}\bar a.\forall \bar X.[p(\bar t) \;\text{:-}\; G]
\end{array}
$$

For terms, a and b denote names which are used to represent object language variables, X denotes a first-order variable, and f denotes a function symbol. Constants are encoded as function symbols which take no arguments. The construct (a b)·t denotes a swapping of the names a and b within the term t. The construct ⟨a⟩t is called a name-abstraction and is used to represent object language bindings. We assume that all terms are well-typed according to a monomorphic typing discipline. We will avoid the details of typing, except to note that αProlog requires names to belong to distinguished name types which are not inhabited by any other terms.

Swapping:

$$
\begin{array}{ll}
(a\;b)\cdot a = b & (a\;b)\cdot b = a \\
(a\;b)\cdot a' = a' \quad (a \neq a' \neq b) & (a\;b)\cdot f(\bar t) = f((a\;b)\cdot \bar t) \\
(a\;b)\cdot \langle a'\rangle t = \langle (a\;b)\cdot a'\rangle (a\;b)\cdot t &
\end{array}
$$

Freshness:

$$
\frac{a \neq b}{\models a \# b} \qquad
\frac{\models a \# t_1 \;\cdots\; \models a \# t_n}{\models a \# f(t_1,\ldots,t_n)} \qquad
\frac{}{\models a \# \langle a\rangle t} \qquad
\frac{\models a \# t \quad a \neq b}{\models a \# \langle b\rangle t}
$$

Equality:

$$
\frac{}{\models a \approx a} \qquad
\frac{\models t_1 \approx u_1 \;\cdots\; \models t_n \approx u_n}{\models f(\bar t) \approx f(\bar u)} \qquad
\frac{\models t \approx u}{\models \langle a\rangle t \approx \langle a\rangle u} \qquad
\frac{\models a \# u \quad \models t \approx (a\;b)\cdot u}{\models \langle a\rangle t \approx \langle b\rangle u}
$$

Figure 1. Swapping, freshness, and equality for ground nominal terms

Goals are constructed from the usual logical connectives. The goal a # t is a freshness constraint and holds when the name a does not occur free relative to name-abstractions in t. The equality goal t ≈ u denotes a notion of α-convertibility which treats name-abstraction as a binder. The goal Иa.G represents a binding for the name a in the scope of G.

We assume a single form for program clauses. While αProlog admits richer forms, these are normalizable to the one presented here, possibly by inserting freshness constraints. The expression p(t̄) is called the head of the clause. A predicate can appear in the head of multiple clauses. A clause is well-formed if it contains no free variables or free names. Note that the name a appears free in ⟨a⟩a but not in Иa.G since the former is not a real binder while the latter is. We shall consider only well-formed program clauses from here onwards. An αProlog program is a set of program clauses.

We have presented the name-restricted subset of αProlog where a and b must be names in (a b)·t, ⟨a⟩t, and a # t. We will focus on this subset for most of the paper, but will eventually lift this restriction and treat full αProlog.

An αProlog expression is a term, list of terms, goal, or program clause. An expression is ground if it does not contain any free variables, though it may contain free names. We define the meaning of swapping, freshness, and equality for ground nominal terms as shown in Figure 1. We extend the notion of swapping to goals in the expected way with (a b)·Иa'.G = Иa'.(a b)·G where a ≠ a' ≠ b and with (a b)·∃X.G = ∃X.(a b)·G. To make sense of this last equation, we define (a b)·X = X, though we leave this out of the formal definition of swapping since we intend to focus on ground terms and goals. We define a permutation π as a composition of zero or more swappings and we write π.e to denote the effect of applying the swappings in π to the expression e.
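As an added illustration (this is not code from the paper), the definitions of Figure 1 together with support and permutation application can be run directly. The Python below encodes ground nominal terms as tuples (a constructed encoding chosen for this example; the names `swap`, `fresh`, `aeq`, `support`, `permute` and the sample terms are this example's own), and the α-equivalence test for name-abstractions is exactly the last rule of Figure 1: ⟨a⟩t ≈ ⟨b⟩u when a # u and t ≈ (a b)·u.

```python
# Added example (not code from the paper): Figure 1 as executable definitions.
# Ground nominal terms are tuples (a constructed encoding for this example):
#   ('name', a)        a name
#   ('fun', f, args)   f(t1, ..., tn); a constant c is ('fun', c, [])
#   ('abs', a, t)      the name-abstraction <a>t, which is *not* a real binder

def swap(a, b, t):
    """(a b).t : exchange the names a and b everywhere in t, binders included."""
    tag = t[0]
    if tag == 'name':
        n = t[1]
        return ('name', b if n == a else a if n == b else n)
    if tag == 'fun':
        return ('fun', t[1], [swap(a, b, u) for u in t[2]])
    if tag == 'abs':
        return ('abs', swap(a, b, ('name', t[1]))[1], swap(a, b, t[2]))
    raise ValueError(tag)

def fresh(a, t):
    """|= a # t : a does not occur free relative to name-abstractions in t."""
    tag = t[0]
    if tag == 'name':
        return a != t[1]
    if tag == 'fun':
        return all(fresh(a, u) for u in t[2])
    if tag == 'abs':
        return a == t[1] or fresh(a, t[2])
    raise ValueError(tag)

def aeq(t, u):
    """|= t ~ u : alpha-equivalence, treating <a>t as a binder (Figure 1)."""
    if t[0] != u[0]:
        return False
    if t[0] == 'name':
        return t[1] == u[1]
    if t[0] == 'fun':
        return (t[1] == u[1] and len(t[2]) == len(u[2])
                and all(aeq(x, y) for x, y in zip(t[2], u[2])))
    a, b = t[1], u[1]            # both are name-abstractions
    if a == b:
        return aeq(t[2], u[2])
    # <a>t ~ <b>u  iff  a # u  and  t ~ (a b).u
    return fresh(a, u[2]) and aeq(t[2], swap(a, b, u[2]))

def support(t):
    """supp(t) : the names a for which a # t fails, i.e. the free names of t."""
    tag = t[0]
    if tag == 'name':
        return {t[1]}
    if tag == 'fun':
        return set().union(*[support(u) for u in t[2]])
    return support(t[2]) - {t[1]}

def permute(pi, t):
    """pi.t for a permutation pi given as a list of swappings (a, b), applied right to left."""
    for a, b in reversed(pi):
        t = swap(a, b, t)
    return t

# Constructed sample: the object term \z.\z.z written with two different choices of names.
LAM_ZZ_A = ('fun', 'lam', [('abs', 'a', ('fun', 'lam', [('abs', 'a', ('fun', 'var', [('name', 'a')]))]))])
LAM_ZZ_BC = ('fun', 'lam', [('abs', 'b', ('fun', 'lam', [('abs', 'c', ('fun', 'var', [('name', 'c')]))]))])

if __name__ == '__main__':
    print(aeq(LAM_ZZ_A, LAM_ZZ_BC))   # the choice of names is immaterial
    print(support(LAM_ZZ_A))          # every name is under an abstraction
```

Because ⟨a⟩t is not a real binder, `swap` renames the abstracted name as well, which is what makes `aeq` equivariant: permuting the names of both sides never changes the answer.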

We assume the standard notions of binding for quantifiers and use e[t/X] to denote capture-avoiding substitution of the term t for the variable X in the expression e. Similarly we write θ for a simultaneous substitution for zero or more variables and eθ for its application to the expression e. Note that name-abstractions are not really binders and thus substitution can cause name capture, e.g., (⟨a⟩X)[a/X] = ⟨a⟩a.

Figure 2. Proof rules for αProlog. Side condition of BACKCHAIN: where Иā.∀X̄.[p(ū) :- G] ∈ Δ and π is a permutation and θ is a substitution for X̄ such that t̄ ≈ π.(ūθ).

Figure 4. Proof rules for 𝒢⁻. Side condition of ∇R: a ∉ supp(B). Side condition of defR: where ∀x̄.[(∇z̄.p t̄) ≜ B] ∈ 𝒟 and θ is a substitution for z̄ and x̄ such that each zθ is a unique nominal constant, supp(x̄θ) ∩ {z̄θ} = ∅, and ū = t̄θ.

We view computation in αProlog as the search for a proof of the sequent Δ ⇒ G where Δ is a set of program clauses and G is a goal. A sequent is well-formed if G is ground, and we shall consider only well-formed sequents from here onwards. Our view of αProlog purposefully ignores issues related to an actual implementation such as searching for instantiations for existentially quantified variables and related issues of unification [6, 22].

The proof rules for αProlog are shown in Figure 2. In the EXISTS rule, t may contain any names and similarly for the substitution θ in BACKCHAIN. In both rules, the substitutions cannot contain free variables, thereby ensuring that goals remain ground during proof search. In the BACKCHAIN rule we use the relation ≈ between lists of terms to mean that respective terms in the two lists satisfy the ≈ relation.

As an example, let Δ be the set of program clauses for type checking given in the introduction and the assumed clauses for the lookup predicate. The object term λz.λz.z can be assigned the type α → β → β for any types α and β. The corresponding derivation for this is shown in Figure 3. On the other hand, the term cannot be assigned the type α → β → α when α is not equal to β. To do so would require the derivation to use the same name for both the first and second abstractions in the term. This is disallowed by the use of the freshness predicate.

An important characteristic of αProlog derivations is that they are equivariant, i.e., unchanged by permutations of names. This property ensures that the particular choice of names used in a derivation is immaterial. More formally, one can inductively define a notion of applying a permutation to a derivation so that its structure and correctness are preserved. Assuming this, we will treat as equivalent those derivations which differ only by a permutation of names.

Cheney and Urban [6] introduce a Herbrand model based semantics for nominal logic which we can use to show the relative consistency and completeness of our presentation of αProlog. In particular, given a set of nominal logic formulas Γ and a nominal logic formula ϕ, they write Γ ⊨ ϕ to indicate that any Herbrand model for all the elements of Γ is a model of ϕ. Using this notion, we can prove the following.

Theorem 1. Let Δ be a set of program clauses and G a ground goal. Then Δ ⊨ G holds if and only if Δ ⇒ G has a proof.

Proof. The forwards direction uses the fact that a least Herbrand model exists for Δ. The backwards direction is by induction on the derivation of Δ ⇒ G. □

3. The Logic 𝒢⁻

The logic 𝒢⁻ is a first-order logic over a higher-order term language where specifications are encoded as fixed-point definitions for predicates. This is in contrast to languages like αProlog and λProlog which use Horn-like clauses to encode specifications. The reason for this departure is that 𝒢⁻ is actually a subset of a richer logic 𝒢 which is designed for reasoning [?], and within this larger setting, mechanisms like case-analysis and induction give a different meaning to Horn-like clauses than in pure specification logics. Our presentation of 𝒢⁻ differs from that of 𝒢 in some regards, but it is still a proper subset and can be shown to be sound relative to 𝒢.

The syntax of terms in 𝒢⁻ is as follows:

$$ t, u ::= x \mid c \mid a \mid (t\;u) \mid \lambda x.t $$

Here x denotes a variable, c denotes a constant, and a denotes a nominal constant. The term λx.t denotes a binding for the variable x in the scope of t, and we assume the corresponding standard notions of free and bound variables and capture-avoiding substitution. The scope of a λ is as far to the right as possible. We will assume that all terms are in βη-long form and that all comparisons between terms are relative to the standard rules of λ-conversion. Application associates to the left and we write p t̄ to abbreviate p t₁ ⋯ tₙ. We restrict our attention to terms which are well-typed relative to a monomorphic typing system. We will avoid the details of typing, except to note that 𝒢⁻ allows nominal constants only at pre-designated nominal types which may or may not be inhabited by other terms.

Formulas in 𝒢⁻ are terms of a distinguished type o. We introduce the constant ⊤ of type o and the infix constants ∧ and ∨ of type o → o → o. For each type τ that does not contain o we include the equality constant =τ of type τ → τ → o and the constants ∃τ and ∇τ of type (τ → o) → o. We place the further restriction on ∇τ that τ must be a nominal type. We drop subscripts when they can be inferred from the context. We abbreviate the formulas ∃(λx.t) and ∇(λx.t) as ∃x.t and ∇x.t, respectively. In summary, the formulas of 𝒢⁻ are described by the following grammar.

$$ B, C ::= \top \mid p\;\bar t \mid t = u \mid B \wedge C \mid B \vee C \mid \exists x.B \mid \nabla z.B $$

Here p denotes any additional predicate symbol, i.e., a constant of type τ₁ → ⋯ → τₙ → o.



Figure 3. A derivation of tc in αProlog. The derivation is listed from the root sequent downwards, each line giving the sequent proved at that step and the rule applied to it:

$$
\begin{array}{ll}
\Delta \Rightarrow tc(nil,\; lam(\langle a\rangle lam(\langle a\rangle var(a))),\; arr(\alpha, arr(\beta,\beta))) & \text{BACKCHAIN} \\
\Delta \Rightarrow a \# nil \wedge tc(bind(a,\alpha,nil),\; lam(\langle a\rangle var(a)),\; arr(\beta,\beta)) & \text{AND} \\
\models a \# nil & \text{FRESH} \\
\Delta \Rightarrow tc(bind(a,\alpha,nil),\; lam(\langle a\rangle var(a)),\; arr(\beta,\beta)) & \text{BACKCHAIN} \\
\Delta \Rightarrow b \# bind(a,\alpha,nil) \wedge tc(bind(b,\beta,bind(a,\alpha,nil)),\; var(b),\; \beta) & \text{AND} \\
\models b \# bind(a,\alpha,nil) & \text{FRESH} \\
\Delta \Rightarrow tc(bind(b,\beta,bind(a,\alpha,nil)),\; var(b),\; \beta) & \text{BACKCHAIN} \\
\Delta \Rightarrow lookup(b,\beta,bind(b,\beta,bind(a,\alpha,nil))) & \text{BACKCHAIN}
\end{array}
$$



We use ∇ to quantify over fresh nominal constants. The treatment of ∇ in 𝒢⁻ is based on the so-called nominal ∇-quantifier [19] rather than the earlier minimal ∇-quantifier [?]. The essential difference is that the nominal ∇-quantifier admits exchange, ∇x.∇y.B = ∇y.∇x.B, and weakening and strengthening, ∇x.B = B if x does not appear in B. We prefer the nominal treatment since nominal constants are often used to represent variable names, and these equivalences match our intuitions about fresh variable names. In addition, the nominal treatment often results in simplified meta-theory and reasoning.

We define the support of a term as the nominal constants which appear in it:

$$
supp(x) = supp(c) = \emptyset \qquad supp(a) = \{a\} \qquad supp(t\;u) = supp(t) \cup supp(u) \qquad supp(\lambda x.t) = supp(t)
$$

We define the support of a list of terms as the union of their supports.

Specifications are realized in 𝒢⁻ through fixed-point definitions. Fixed-point definitions are given by a set of definitional clauses, each of the following form:

$$ \forall\bar x.[(\nabla\bar z.\, p\;\bar t) \triangleq B] $$

Here ∇z̄.p t̄ and B must be formulas with empty support and free variables only among x̄. The formula ∇z̄.p t̄ is called the head of the clause. A predicate symbol p may appear in the head of multiple clauses. The logic 𝒢⁻ is parametrized by a set of definitional clauses which we will call 𝒟.

We view computation in 𝒢⁻ as the search for a proof of the sequent ⟶ B where B is a closed formula which may contain nominal constants. The proof rules for 𝒢⁻ are presented in Figure 4. In the ∃R rule we assume t is a closed term which may contain any nominal constants and similarly for the substitution in the defR rule. In the defR rule we assume a notion of pairwise equality on lists of terms. We require the support of x̄θ to be disjoint from z̄θ to reflect the order of quantifiers in the definitional clause. In the vocabulary of Miller et al. [15], the rules of 𝒢⁻ allow only uniform proofs and thus 𝒢⁻ is an abstract logic programming language.

Assuming the definition of tc from the introduction and a suitable definition of lookup, Figure 5 shows that λz.λz.z can be assigned the type α → β → β. Note that it is not possible to assign the type α → β → α when α is not equal to β due to the side-condition on the ∇R rule.

Derivations in 𝒢⁻ are equivariant with respect to nominal constants, i.e., the particular nominal constants used in a 𝒢⁻ derivation are irrelevant. Given a permutation of nominal constants, one can inductively define a notion of applying that permutation to a derivation so that the structure and correctness are preserved. Thus we will treat as equivalent those derivations which differ only by a permutation of nominal constants.



Figure 5. A derivation of tc in 𝒢⁻. The derivation is listed from the root sequent downwards, each line giving the sequent proved at that step and the rule applied to it:

$$
\begin{array}{ll}
\longrightarrow tc\; nil\; (lam\; \lambda z.lam\; \lambda z.var\; z)\; (arr\; \alpha\; (arr\; \beta\; \beta)) & \text{def}\mathcal{R} \\
\longrightarrow \nabla x.\, tc\; (bind\; x\; \alpha\; nil)\; (lam\; \lambda z.var\; z)\; (arr\; \beta\; \beta) & \nabla\mathcal{R} \\
\longrightarrow tc\; (bind\; a\; \alpha\; nil)\; (lam\; \lambda z.var\; z)\; (arr\; \beta\; \beta) & \text{def}\mathcal{R} \\
\longrightarrow \nabla x.\, tc\; (bind\; x\; \beta\; (bind\; a\; \alpha\; nil))\; (var\; x)\; \beta & \nabla\mathcal{R} \\
\longrightarrow tc\; (bind\; b\; \beta\; (bind\; a\; \alpha\; nil))\; (var\; b)\; \beta & \text{def}\mathcal{R} \\
\longrightarrow lookup\; b\; \beta\; (bind\; b\; \beta\; (bind\; a\; \alpha\; nil)) & \text{def}\mathcal{R}
\end{array}
$$



4. The Translation

Looking at the rules for αProlog and 𝒢⁻ we can already see a strong similarity. In large part, this is because we have developed a view of αProlog free from implementation details and have carved 𝒢⁻ out from the richer logic of 𝒢. We have, however, remained faithful to both languages.

One might expect a very simple translation from αProlog to 𝒢⁻ which maps И to ∇, ≈ to =, names to nominal constants, and name-abstraction to λ-abstraction. This is not far from the truth, but there is an important nuance concerning the treatment of abstractions in the two systems. In essence, the name-abstraction of αProlog allows names to be captured during substitution while the λ-abstraction requires capture-avoiding substitution. For example, consider the αProlog goal Иa.∃X.(⟨a⟩X ≈ ⟨b⟩b). This goal is provable using NEW and EXISTS with X as a, thus yielding ⟨a⟩a ≈ ⟨b⟩b which is true. Now, a naive and incorrect translation of the original goal into 𝒢⁻ might produce ∇a.∃X.(λa.X = λb.b). Notice that the two occurrences of a in this goal represent distinct binders and thus the goal is equivalent to ∇y.∃X.(λz.X = λb.b). This formula is not provable in 𝒢⁻ since capture-avoiding substitution does not allow any value for X to be captured by the binder for z. Instead, we need a translation which makes the possible variable captures in αProlog explicit. For instance, the original goal may be translated to essentially ∃X.(λa.X a = λb.b) which has the solution X = λz.z. In this formula, the variable X has been raised over a to indicate its possible dependence on it. This is a standard technique which is used in relating nominal and higher-order term languages [22]. In the actual translation we will use raising to encode all such dependencies.

The translation from αProlog to 𝒢⁻ is presented in Figure 6 and makes use of some new notation which we define now.

In the translation for terms, we map names to nominal constants, and for simplicity we overload notation to use the same names for both. We use the same overloading for bound variables and function symbols. We abuse notation in our translation to allow bound variables in αProlog to be raised over nominal constants. This is just an intermediate form which is translated to a 𝒢⁻ bound variable with the same name raised over the same nominal constants. The translation for swappings produces a similar operation applied to a 𝒢⁻ term which we represent with the same notation. The meaning of a swapping applied to a 𝒢⁻ term is to replace all occurrences of one nominal constant with another and vice-versa. In contrast to αProlog, this operation can be carried out completely even for non-ground terms since all variables of the translation are raised over the existing nominal constants they may depend on. Thus, swapping can be carried out on the nominal constants over which variables are raised without having to know the eventual value of such variables. Lastly, the translation for name-abstractions maps them to λ-binders. Although nominal constants and bound variables are from separate syntactic classes in 𝒢⁻, we abuse notation here and in the future to write a binder for a nominal constant. The meaning of λa.t where a is a nominal constant is λx.t' where x is a fresh bound variable name and t' is the result of replacing all occurrences of a in t with x.

$$
\begin{array}{c}
\phi(a) = a \qquad \phi(X\,\bar a) = X\,\bar a \qquad \phi(f(\bar t)) = f\; \phi(\bar t) \qquad \phi((a\;b)\cdot t) = (a\;b)\cdot\phi(t) \qquad \phi(\langle a\rangle t) = \lambda a.\phi(t) \\[1ex]
\phi_{\bar a}(p(\bar t)) = \nabla\bar a.\, p\; \phi(\bar t) \qquad \phi_{\bar a}(\top) = \top \\
\phi_{\bar a}(a \# t) = \nabla\bar a.\, fresh\; \phi(a)\; \phi(t) \qquad \phi_{\bar a}(t \approx u) = \nabla\bar a.(\phi(t) = \phi(u)) \\
\phi_{\bar a}(G_1 \wedge G_2) = \phi_{\bar a}(G_1) \wedge \phi_{\bar a}(G_2) \qquad \phi_{\bar a}(G_1 \vee G_2) = \phi_{\bar a}(G_1) \vee \phi_{\bar a}(G_2) \\
\phi_{\bar a}(\exists X.G) = \exists X.\phi_{\bar a}(G[X\,\bar a/X]) \qquad \phi_{\bar a}(\text{И}b.G) = \phi_{\bar a b}(G) \\[1ex]
\phi(\text{И}\bar a.\forall\bar X.[p(\bar t) \;\text{:-}\; G]) = \forall\bar X.[(\nabla\bar a.\, p\; \phi(\bar t\sigma)) \triangleq \phi_{\bar a}(G\sigma)] \quad \text{where } \sigma = \{X\,\bar a/X \mid X \in \bar X\}
\end{array}
$$

Figure 6. Translation from αProlog to 𝒢⁻

As indicated in the initial discussion, our translation needs to push ∇-binders underneath ∃-binders so that the dependencies can be made explicit. This is embodied in our translation for goals which is parametrized by a list of names which correspond to ∇-bound variables being pushed down to the atomic formulas. The following equivalences describe how the ∇-quantifier can be pushed down in a formula.

$$
\begin{array}{l}
\nabla x.\top = \top \\
\nabla x.(B \wedge C) = (\nabla x.B) \wedge (\nabla x.C) \\
\nabla x.(B \vee C) = (\nabla x.B) \vee (\nabla x.C) \\
\nabla x.\exists X.B = \exists X.\nabla x.B[X\,x/X]
\end{array}
$$

In the translation for a freshness goal we make use of a distinguished predicate fresh which we assume is defined by the single definitional clause ∀x.[(∇z. fresh z x) ≜ ⊤]. Thus ⟶ fresh a t is provable if and only if a is a nominal constant which does not appear in t. Lastly, note that we translate the И-quantifier to the ∇-quantifier by adding the quantified name to the list of eventually ∇-bound variables.

The translation for program clauses embodies essentially the same ideas as for translating goal formulas. The outer И-quantifiers are translated to ∇-quantifiers that need to be pushed underneath the universal quantifiers. This exchange induces the same raising substitution as when pushing ∇-quantifiers underneath existential quantifiers. When Δ is a set of program clauses we define φ(Δ) = {φ(D) | D ∈ Δ}.

Note that aside from changing the scope of ∇-quantifiers, the translation essentially preserves term and logic structure. Moreover, the translation makes the expected connections between И and ∇, ≈ and =, names and nominal constants, and name-abstraction and λ-abstraction.

4.1 Examples

We now present a few examples to illustrate the translation and also to suggest some simple ways in which the results may be improved. In presenting αProlog program clauses we will elide outermost И- and ∀-quantifiers and instead use the convention that all free lowercase symbols denote names and all free uppercase symbols denote variables, all of which are captured by program clause quantifiers. For 𝒢⁻ definitions we elide the outermost ∀-quantifiers and assume that all capitalized symbols denote such universally quantified variables. These examples are taken from Cheney and Urban [?].

4.1.1 Type checking

Consider again the example from the introduction, where the following program clauses specify type checking for λ-terms.

$$
\begin{array}{l}
tc(G, var(X), T) \;\text{:-}\; lookup(X,T,G) \\
tc(G, app(E_1,E_2), T') \;\text{:-}\; \exists T.\, tc(G,E_1,arr(T,T')) \wedge tc(G,E_2,T) \\
tc(G, lam(\langle x\rangle E), arr(T,T')) \;\text{:-}\; x \# G \wedge tc(bind(x,T,G),E,T')
\end{array}
$$

Here we assume lookup is defined in the expected way. These program clauses translate to the following definitional clauses.

$$
\begin{array}{l}
tc\; G\; (var\; X)\; T \triangleq lookup\; X\; T\; G \\
tc\; G\; (app\; E_1\; E_2)\; T' \triangleq \exists T.\, tc\; G\; E_1\; (arr\; T\; T') \wedge tc\; G\; E_2\; T \\
(\nabla x.\, tc\; (G\; x)\; (lam\; \lambda x.E\; x)\; (arr\; (T\; x)\; (T'\; x))) \triangleq \\
\qquad (\nabla x.\, fresh\; x\; (G\; x)) \wedge (\nabla x.\, tc\; (bind\; x\; (T\; x)\; (G\; x))\; (E\; x)\; (T'\; x))
\end{array}
$$

In general, a few simplifications can improve the results of the translation. We illustrate these here as applied to the last clause for tc. First, by examining types we can recognize that the object types T and T' cannot actually depend on the object term variable x and thus they do not need to be raised over it. More formally, we can use a notion like subordination to detect such vacuous dependencies [23]. Second, the freshness constraint on G can be solved statically: we know that G must not depend on its first argument. Finally, after performing the previous two simplifications we can recognize that the ∇-quantifier in the head of the definition is vacuous and can thus be dropped. In the end we are left with the following definitional clause:

$$ tc\; G\; (lam\; \lambda x.E\; x)\; (arr\; T\; T') \triangleq \nabla x.\, tc\; (bind\; x\; T\; G)\; (E\; x)\; T' $$

The definitional clauses for tc now match what one would expect to write in 𝒢⁻. Indeed, they are exactly the specification presented in the introduction.

4.1.2 Polymorphic type generalization

The following program clauses describe a relationship among a polymorphic type, a list of distinct names for the binders in that type, and the resulting monomorphic type which comes from substituting the names for the binders.

$$
\begin{array}{l}
spec(monoTy(T), nil, T) \;\text{:-}\; \top \\
spec(polyTy(\langle a\rangle P), cons(a,L), T) \;\text{:-}\; a \# L \wedge spec(P,L,T)
\end{array}
$$

This is translated to the following definitional clauses:

$$
\begin{array}{l}
spec\; (monoTy\; T)\; nil\; T \triangleq \top \\
(\nabla a.\, spec\; (polyTy\; \lambda a.P\; a)\; (cons\; a\; (L\; a))\; (T\; a)) \triangleq (\nabla a.\, fresh\; a\; (L\; a)) \wedge (\nabla a.\, spec\; (P\; a)\; (L\; a)\; (T\; a))
\end{array}
$$

In this last clause we can again simplify the freshness condition to produce the following.

$$ (\nabla a.\, spec\; (polyTy\; \lambda a.P\; a)\; (cons\; a\; L)\; (T\; a)) \triangleq \nabla a.\, spec\; (P\; a)\; L\; (T\; a) $$

4.1.3 Capture-avoiding substitution

The following program clauses realize capture-avoiding substitution for λ-terms via a predicate subst(E, T, X, E') which holds exactly when E[T/X] = E'.

$$
\begin{array}{l}
subst(var(X), E, X, E) \;\text{:-}\; \top \\
subst(var(x), E, y, var(x)) \;\text{:-}\; \top \\
subst(app(M,N), E, X, app(M',N')) \;\text{:-}\; subst(M,E,X,M') \wedge subst(N,E,X,N') \\
subst(lam(\langle y\rangle R), E, X, lam(\langle y\rangle R')) \;\text{:-}\; y \# X \wedge y \# E \wedge subst(R,E,X,R')
\end{array}
$$

These program clauses translate to the following definitional clauses:

$$
\begin{array}{l}
subst\; (var\; X)\; E\; X\; E \triangleq \top \\
(\nabla x, y.\, subst\; (var\; y)\; (E\; x\; y)\; x\; (var\; y)) \triangleq \top \\
subst\; (app\; M\; N)\; E\; X\; (app\; M'\; N') \triangleq subst\; M\; E\; X\; M' \wedge subst\; N\; E\; X\; N' \\
(\nabla y.\, subst\; (lam\; \lambda y.R\; y)\; (E\; y)\; (X\; y)\; (lam\; \lambda y.R'\; y)) \triangleq \\
\qquad (\nabla y.\, fresh\; y\; (X\; y)) \wedge (\nabla y.\, fresh\; y\; (E\; y)) \wedge (\nabla y.\, subst\; (R\; y)\; (E\; y)\; (X\; y)\; (R'\; y))
\end{array}
$$

Simplifying the freshness constraints and removing vacuous ∇-binders in the last clause produces the following.

$$ subst\; (lam\; \lambda y.R\; y)\; E\; X\; (lam\; \lambda y.R'\; y) \triangleq \nabla y.\, subst\; (R\; y)\; E\; X\; (R'\; y) $$

4.2 Correctness

The soundness and completeness of our translation are shown by the following results. We elide most details, but show the important lemmas and interesting cases.

Lemma 2. Let a be a name and t a ground αProlog term. Then ⊨ a # t holds if and only if ⟶ fresh φ(a) φ(t) has a proof in 𝒢⁻.

Proof. Induction on t. □

Lemma 3. Let t and u be ground αProlog terms. Then ⊨ t ≈ u holds if and only if φ(t) = φ(u).

Proof. Induction on t. □

We define the support of an αProlog term as the set of all names which appear free relative to name-abstractions, i.e., supp(t) = {a | ⊨ a # t does not hold}. This is consistent with the definition of support for 𝒢⁻ terms since φ(supp(t)) = supp(φ(t)). For a substitution θ we define φ(θ) = {φ(t)/φ(X) | t/X ∈ θ} and supp(θ) = ⋃_{t/X ∈ θ} supp(t).

Lemma 4. Let t be an αProlog term and θ a substitution, then φ(tθ) = φ(t)φ(θ).

Proof. Induction on t. □

Lemma 5. Let G be an αProlog goal, θ a substitution, and ā a list of names such that supp(θ) ∩ {ā} = ∅, then φ_ā(Gθ) = φ_ā(G)φ(θ).

Proof. Induction on G. Consider when G = b # t. Then φ_ā(Gθ) = ∇ā. fresh φ(bθ) φ(tθ) = ∇ā.(fresh φ(b) φ(t))φ(θ). Since supp(θ) ∩ {ā} = ∅, we can move the substitution outside of the ∇-binder to obtain (∇ā.(fresh φ(b) φ(t)))φ(θ) = φ_ā(G)φ(θ). □

Theorem 6. Let Δ be a set of program clauses, G a ground goal, and ā a list of distinct names. There is a proof of Δ ⇒ G if and only if there is a proof of ⟶ φ_ā(G) assuming the definitional clauses φ(Δ) and the clause for fresh.

Proof. In the forwards direction, the proof is by induction on the 
height of the aProlog proof. First consider when the proof ends 
with FRESH so that G = Then it must be that \= b#t which 
means — >■ fresh (j>{b) (j>{t) has a proof. Thus — >■ (j)s{G) which 
is — )■ \7a. fresh <j){b) (j>{t) also has a proof. The cases for TRUE, 
EQUAL, AND, and OR are similarly easy. 

Suppose the proof ends with EXISTS so that G = 3X.G' 
and A G'\t/X] has a proof for some t. By induction we 

know — V <j)s{G' [t / X]) has a proof. We would like to move the 
substitution outside of (j>, but we cannot do so unless the support 
of the substitution is disjoint from a. Abusing notation, we do 
this by splitting the substitution into two parts. That is, we know 
— > (l>a{G'[X a/ X][Xa.t/ X]) has a proof. Now the a are not 
free in the second substitution and thus we can apply Lemma [5] 
to conclude that — > (j)s{G'[X a/ X])[Xa.(j){t) / (j){X)] hasaproof 
Thus — > 3X.(l)s{G'[X a/X]) has a proof and this is the same as 
— 5- (t>a{^X.G'). The case for BACKCHAIN is similar in spirit, but 
more complex in the details. 

Lastly, suppose the proof ends with NEW so that G — 1/16. G' 
and A => G' has a proof. By induction — > 4>ab{G') also has a 
proof which is the same as — > (j!)a(l/16.G'). 

In the backwards direction, the proof is by induction on the height of the proof with a nested induction on the size of $G$. Consider first when $G$ is $t \approx u$. We assume $\longrightarrow \phi_{\bar a}(t \approx u)$ has a proof, which means that $\longrightarrow \nabla\bar a.\, \phi(t) = \phi(u)$ has a proof and thus $\longrightarrow \phi(t) = \phi(u)$ also does. Therefore $\models t \approx u$ is true and $\Delta \Rightarrow t \approx u$ has a proof. The cases for when $G$ is $\top$, a freshness relation, a conjunction, or a disjunction are similarly easy.

Suppose $G = \exists X.G'$ so that $\longrightarrow \phi_{\bar a}(G'[X\,\bar a/X])[t/X]$ has a proof for some $t$. It must be that $t = \lambda\bar a.\phi(u)$ for some $u$. Since the support of the outer substitution is disjoint from $\bar a$ we can move it inside to know $\longrightarrow \phi_{\bar a}(G'[X\,\bar a/X][\lambda\bar a.u/X])$ has the same proof and this is just $\longrightarrow \phi_{\bar a}(G'[u/X])$. By induction $\Delta \Rightarrow G'[u/X]$ has a proof and thus $\Delta \Rightarrow \exists X.G'$ has a proof. Again, the case for when $G$ is a predicate is similar in spirit, but more complex in the details.

Finally suppose $G = \text{И}b.G'$ so that $\longrightarrow \phi_{\bar a b}(G')$ has a proof. By the inner induction hypothesis, $\Delta \Rightarrow G'$ has a proof and thus so does $\Delta \Rightarrow \text{И}b.G'$. □

4.3 Extending the translation 

We now drop the name-restriction on αProlog and allow $a$ and $b$ to be arbitrary terms in expressions of the form $a \mathbin{\#} t$, $(a\ b)\cdot t$, and $\langle a\rangle t$. The translation is easily extended to this richer language. Goals of the form $u \mathbin{\#} t$ translate to $\mathit{fresh}\ u\ t$ as before. Terms which do not satisfy the name-restriction are first simplified so that all non-name-restricted swappings and name-abstractions appear at the top level of an equality goal. Then these translate to distinguished predicates which implement swapping and name-abstraction. This simplification is only needed statically since instantiations during proof search can only contain ground terms, thus ensuring that non-name-restricted terms do not appear dynamically.

To simplify a non-name-restricted term of the form $(u_1\ u_2)\cdot t$ or $\langle u\rangle t$ we replace it with a fresh variable, say $t'$, conjoin the distinguished goal $t' \approx (u_1\ u_2)\cdot t$ or $t' \approx \langle u\rangle t$ respectively, and quantify $t'$ appropriately (existentially when replacing terms in the body, universally when replacing terms in the head of a program clause). This forces all terms to be name-restricted except the top level of terms occurring on the right side of the $\approx$ relation. We extend the translation to deal with this relation as follows:

$\phi_{\bar a}(t' \approx (u_1\ u_2)\cdot t) = \nabla\bar a.\, \mathit{swap}\ u_1\ u_2\ t\ t'$

$\phi_{\bar a}(t' \approx \langle u\rangle t) = \nabla\bar a.\, \mathit{abst}\ u\ t\ t'$

where $\mathit{swap}$ and $\mathit{abst}$ are defined by the following:

$\forall E.[(\nabla x, y.\, \mathit{swap}\ x\ y\ (E\ x\ y)\ (E\ y\ x)) = \top]$
$\forall E.[(\nabla x.\, \mathit{swap}\ x\ x\ (E\ x)\ (E\ x)) = \top]$
$\forall E.[(\nabla x.\, \mathit{abst}\ x\ (E\ x)\ (\lambda x.E\ x)) = \top]$

In practice it seems that non-name-restricted swappings and name-abstractions are exceedingly rare. Still, it is reassuring that such detailed manipulations of variables and binding are so succinctly described in $\mathcal{G}^-$.

The following lemmas show that our manipulations of formulas 
are sound and that swap and abst correctly capture swapping and 
name-abstraction, and therefore the extended translation can be 
shown to be sound and complete. 

Lemma 7. If $t \approx u$ and $\Delta[t/x] \Rightarrow G[t/x]$ has a proof then so does $\Delta[u/x] \Rightarrow G[u/x]$.

Proof. Induction on the height of the proof. □ 

Lemma 8. Let $t'$ and $(a\ b)\cdot t$ be ground nominal terms. Then $\models t' \approx (a\ b)\cdot t$ holds if and only if $\longrightarrow \mathit{swap}\ a\ b\ t\ t'$ is provable in $\mathcal{G}^-$.

Proof. Induction on t. □ 

Lemma 9. Let $t'$ and $\langle a\rangle t$ be ground nominal terms. Then $\models t' \approx \langle a\rangle t$ holds if and only if $\longrightarrow \mathit{abst}\ a\ t\ t'$ is provable in $\mathcal{G}^-$.

Proof. Induction on t. □ 
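As an added example (not the paper's code), the goal translation $\phi_{\bar a}$ written as a Python function over a constructed tuple syntax for αProlog goals: it performs the raising of ∃-bound variables over the names in scope (the $G'[X\,\bar a/X]$ step used in the proof of Theorem 6), handles the И case by extending $\bar a$, and applies the Section 4.3 rules that turn a top-level swapping or name-abstraction on the right of $\approx$ into $\mathit{swap}$ or $\mathit{abst}$. Two simplifications are assumed here: name-abstractions with a name as binder are rendered as λ-binders below the top level, every top-level swapping is routed through $\mathit{swap}$ (Lemma 8 says this is correct for names too), and non-name-restricted terms below the top level are rejected rather than hoisted.

```python
# Goal tags: ('true',) ('fresh', b, t) ('eq', t, u) ('and', G1, G2) ('exists', 'X', G) ('new', a, G)
# Term tags: ('name', 'a') ('var', 'X') ('raise', 'X', [names]) ('con', 'f', t1, ...) ('abs', a, t) ('swap', a, b, t)
def term(t):                # phi on name-restricted terms, printed as G^- syntax
    tag = t[0]
    if tag in ('name', 'var'): return t[1]
    if tag == 'raise':      # X ā, the raised variable introduced by the ∃ case
        return '(%s %s)' % (t[1], ' '.join(t[2])) if t[2] else t[1]
    if tag == 'abs' and t[1][0] == 'name':   # <a>t with a a name becomes λa. phi(t)
        return '(λ%s. %s)' % (t[1][1], term(t[2]))
    if tag == 'con':
        return '(%s)' % ' '.join([t[1]] + [term(u) for u in t[2:]])
    raise ValueError('not name-restricted below top level; hoist it first (Section 4.3)')

def raise_var(t, X, names): # G'[X ā / X] on a term: every occurrence of X becomes X ā
    if t[0] == 'var' and t[1] == X: return ('raise', X, list(names))
    if t[0] in ('name', 'var', 'raise'): return t
    return (t[0],) + tuple(raise_var(u, X, names) if isinstance(u, tuple) else u for u in t[1:])

def raise_goal(G, X, names):
    tag = G[0]
    if tag == 'true': return G
    if tag in ('fresh', 'eq'): return (tag, raise_var(G[1], X, names), raise_var(G[2], X, names))
    if tag == 'and': return (tag, raise_goal(G[1], X, names), raise_goal(G[2], X, names))
    if tag == 'exists' and G[1] == X: return G          # an inner ∃X shadows the outer X
    return (tag, G[1], raise_goal(G[2], X, names))     # 'exists' or 'new'

def nabla(names):           # the ∇ā prefix put in front of every atomic translation
    return ''.join('∇%s.' % a for a in names) + (' ' if names else '')

def phi(G, names=()):       # phi_ā(G) with ā = names, following the cases of Theorem 6
    tag = G[0]
    if tag == 'true': return '⊤'
    if tag == 'fresh':      # b # t  ↦  ∇ā. fresh phi(b) phi(t)
        return nabla(names) + 'fresh %s %s' % (term(G[1]), term(G[2]))
    if tag == 'eq':
        t1, t2 = G[1], G[2]
        if t2[0] == 'swap':  # Section 4.3: t' ≈ (u1 u2)·t  ↦  ∇ā. swap u1 u2 t t'
            return nabla(names) + 'swap %s %s %s %s' % tuple(term(u) for u in (t2[1], t2[2], t2[3], t1))
        if t2[0] == 'abs':   # Section 4.3: t' ≈ <u>t  ↦  ∇ā. abst u t t'
            return nabla(names) + 'abst %s %s %s' % (term(t2[1]), term(t2[2]), term(t1))
        return nabla(names) + '%s = %s' % (term(t1), term(t2))   # t ≈ u  ↦  ∇ā. phi(t) = phi(u)
    if tag == 'and':
        return '(%s ∧ %s)' % (phi(G[1], names), phi(G[2], names))
    if tag == 'exists':     # ∃X.G'  ↦  ∃X. phi_ā(G'[X ā / X])
        return '∃%s. %s' % (G[1], phi(raise_goal(G[2], G[1], names), names))
    return phi(G[2], names + (G[1][1],))   # Иa.G'  ↦  phi_{ā a}(G')

# Constructed sample: Иa. ∃X. X ≈ var a; X is raised over a so that it may depend on it.
a, X = ('name', 'a'), ('var', 'X')
SAMPLE = ('new', a, ('exists', 'X', ('eq', X, ('con', 'var', a))))   # phi(SAMPLE) == '∃X. ∇a. (X a) = (var a)'
```

Swapping the order of the quantifiers, ∃X. Иa. a # X, yields ∃X. ∇a. fresh a X with no raising, since $\bar a$ is empty when the ∃ is translated.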



5. Higher-order Judgments 

Higher-order judgments are a common and powerful tool for specifications using higher-order abstract syntax. Among other things, they have nice properties which are often used when reasoning about such specifications. These properties do not directly hold for $\mathcal{G}^-$ specifications, so one may question if we have to give them up in any system which admits translations from nominal logic specifications. This is not the case: higher-order judgments can be encoded in $\mathcal{G}^-$ while keeping their nice properties. Although this does not provide a direct connection between nominal logic specifications and higher-order judgments, it does show how the expressiveness and benefits of both approaches can coexist.

Our translation produces specifications using weak higher-order abstract syntax, i.e., using abstractions only at distinguished variable types. With higher-order judgments it is much more common to use full higher-order abstract syntax, i.e., where abstraction is used at the same type as the terms being constructed. For example, λ-terms would be represented using only the following two constants.

$\mathit{app} : \mathit{tm} \to \mathit{tm} \to \mathit{tm} \qquad \mathit{lam} : (\mathit{tm} \to \mathit{tm}) \to \mathit{tm}$

This representation provides a free notion of capture-avoiding substitution based on meta-level β-reduction, whereas a weak higher-order abstract syntax encoding would provide only variable-for-variable substitution. The following example defines evaluation for λ-terms using the free notion of capture-avoiding substitution.

$\mathit{eval}\ (\mathit{lam}\ \lambda x.R\,x)\ (\mathit{lam}\ \lambda x.R\,x) = \top$
$\mathit{eval}\ (\mathit{app}\ M\ N)\ V = \exists R.\, \mathit{eval}\ M\ (\mathit{lam}\ \lambda x.R\,x) \wedge \mathit{eval}\ (R\ N)\ V$

With full higher-order abstract syntax, we can still distinguish variables from other terms by using a definition such as $(\nabla x.\, \mathit{name}\ x) = \top$ which holds only on nominal constants. For example, the specification of type checking for λ-terms represented using full higher-order abstract syntax can be written as follows:

$\mathit{tc}\ G\ X\ T = \mathit{name}\ X \wedge \mathit{lookup}\ X\ T\ G$
$\mathit{tc}\ G\ (\mathit{app}\ E_1\ E_2)\ T' = \exists T.\, \mathit{tc}\ G\ E_1\ (\mathit{arr}\ T\ T') \wedge \mathit{tc}\ G\ E_2\ T$
$\mathit{tc}\ G\ (\mathit{lam}\ \lambda x.E\,x)\ (\mathit{arr}\ T\ T') = \nabla x.\, \mathit{tc}\ (\mathit{bind}\ x\ T\ G)\ (E\ x)\ T'$

Thus in $\mathcal{G}^-$ we have the same naturalness and expressiveness with full higher-order abstract syntax as with the weaker version.

Moving to higher-order judgments, the specification for type checking λ-terms can be written as follows in λProlog [16]:

$\mathit{tc}\ (\mathit{app}\ M\ N)\ B \mathrel{:-} (\mathit{tc}\ M\ (\mathit{arr}\ A\ B) \wedge \mathit{tc}\ N\ A)$
$\mathit{tc}\ (\mathit{lam}\ \lambda x.R\,x)\ (\mathit{arr}\ A\ B) \mathrel{:-} (\forall x.\, \mathit{tc}\ x\ A \supset \mathit{tc}\ (R\ x)\ B)$

Here $\mathit{tc}$ does not carry around an explicit typing context. Instead, the context in λProlog is used to remember typing assignments for bound variables: the ∀-quantifier encodes fresh variable names and the ⊃ connective encodes hypothetical assumptions. Besides elegance, the real benefit of this encoding is that the underlying logic enjoys meta-theoretic properties such as cut-admissibility and the preservation of provability under instantiations for universal variables. As a result, if one wants to reason about this specification they obtain a free object-level substitution result for $\mathit{tc}$ which says, roughly, if $\mathit{tc}\ (\mathit{lam}\ \lambda x.R\,x)\ (\mathit{arr}\ A\ B)$ and $\mathit{tc}\ N\ A$ are both derivable, then $\mathit{tc}\ (R\ N)\ B$ is also derivable. Such substitution lemmas are quite common and useful, for example, in showing that evaluation preserves typing.



Higher-order judgments do not allow one to directly distinguish between free variables, and this can result in awkward specifications in some instances. For example, the following αProlog clauses specify a notion of inequality over λ-terms:

$\mathit{aneq}\ (\mathit{var}\ a)\ (\mathit{var}\ b) \mathrel{:-} \top$
$\mathit{aneq}\ (\mathit{app}\ M_1\ N_1)\ (\mathit{app}\ M_2\ N_2) \mathrel{:-} \mathit{aneq}\ M_1\ M_2$
$\mathit{aneq}\ (\mathit{app}\ M_1\ N_1)\ (\mathit{app}\ M_2\ N_2) \mathrel{:-} \mathit{aneq}\ N_1\ N_2$
$\mathit{aneq}\ (\mathit{lam}\ \langle a\rangle R_1)\ (\mathit{lam}\ \langle a\rangle R_2) \mathrel{:-} \mathit{aneq}\ R_1\ R_2$
$\mathit{aneq}\ (\mathit{var}\ X)\ (\mathit{app}\ M\ N) \mathrel{:-} \top$

There is no equally natural way to express this with higher-order judgments due to the need to distinguish between variables in the first clause (see [6] for an example encoding in λProlog). In fact,
the ability to distinguish between variables is fundamentally at odds 
with the idea of a free substitution property for variables since such 
substitutions may cause two different variables to be instantiated 
to the same term. Thus, higher-order judgments necessarily lack a 
degree of naturalness for some specifications. 

It is important to note that in a dependently-typed system like LF higher-order abstract syntax and higher-order judgments collapse into a single notion [12]. While this provides for a very elegant system, we should not let it confuse us between these two
notions. As our translation has shown, higher-order abstract syntax 
allows for specifications that are at least as natural and expressive 
as what is possible in aProlog, while higher-order judgments may 
occasionally fall short. 

We now propose a specification methodology which allows one to use the full natural expressiveness of definitions in $\mathcal{G}^-$ while still being able to take advantage of higher-order judgments so that we can benefit from their elegance and associated properties when reasoning. The idea is to encode an interpreter for higher-order judgments as a definition in $\mathcal{G}^-$ and use this to encode particular higher-order judgment specifications. In the full logic $\mathcal{G}$ which is used for reasoning, one can prove general instantiation and cut-admissibility properties for the encoding of higher-order judgments. These properties are then inherited for free by any specification written using higher-order judgments.

For simplicity of presentation we consider only the second-order fragment of λProlog. It is possible to encode full higher-order λProlog, but second-order is sufficient for the majority of examples. The encoding of second-order λProlog into $\mathcal{G}^-$ is presented in Figure 7. In this encoding $::$ is an infix constructor for lists, and $\langle\cdot\rangle$ is used to distinguish atomic formulas. Since we are considering only second-order λProlog, we assume $A$ is atomic in $A \supset B$. The formula $\mathit{seq}\ L\ G$ will hold when the λProlog formula $G$ is provable from the atomic assumptions in $L$ and the clauses of our particular specification. These latter clauses are encoded via the predicate $\mathit{prog}$ which holds on the head and body of each encoded clause. For example, the clauses for the $\mathit{tc}$ predicate are encoded into the following $\mathit{prog}$ clauses:

$\mathit{prog}\ (\mathit{tc}\ (\mathit{app}\ M\ N)\ B)\ (\langle \mathit{tc}\ M\ (\mathit{arr}\ A\ B)\rangle \wedge \langle \mathit{tc}\ N\ A\rangle) = \top$

$\mathit{prog}\ (\mathit{tc}\ (\mathit{lam}\ \lambda x.R\,x)\ (\mathit{arr}\ A\ B))\ (\forall x.\, \langle \mathit{tc}\ x\ A\rangle \supset \langle \mathit{tc}\ (R\ x)\ B\rangle) = \top$

The $\mathit{seq}$ encoding of second-order λProlog retains the desirable properties of the logic which we formally state below. Moreover, these properties can be proven completely within the full logic $\mathcal{G}$.

Lemma 10 (Instantiation). Let $c$ be a nominal constant and $t$ a term of the same type. If $\longrightarrow \mathit{seq}\ L\ G$ then $\longrightarrow \mathit{seq}\ L[t/c]\ G[t/c]$.



$\mathit{member}\ B\ (B :: L) = \top$
$\mathit{member}\ B\ (C :: L) = \mathit{member}\ B\ L$

$\mathit{seq}\ L\ \top = \top$
$\mathit{seq}\ L\ (B \wedge C) = \mathit{seq}\ L\ B \wedge \mathit{seq}\ L\ C$
$\mathit{seq}\ L\ (B \vee C) = \mathit{seq}\ L\ B \vee \mathit{seq}\ L\ C$
$\mathit{seq}\ L\ (A \supset B) = \mathit{seq}\ (A :: L)\ B$
$\mathit{seq}\ L\ (\forall x.B\,x) = \nabla x.\, \mathit{seq}\ L\ (B\ x)$
$\mathit{seq}\ L\ \langle A\rangle = \mathit{member}\ A\ L$
$\mathit{seq}\ L\ \langle A\rangle = \exists B.\, \mathit{prog}\ A\ B \wedge \mathit{seq}\ L\ B$

Figure 7. Second-order λProlog in $\mathcal{G}^-$



Lemma 11 (Cut admissibility). If $\longrightarrow \mathit{seq}\ (A :: L)\ G$ and $\longrightarrow \mathit{seq}\ L\ \langle A\rangle$ then $\longrightarrow \mathit{seq}\ L\ G$.

Lemma 12 (Monotonicity). If $\longrightarrow \mathit{seq}\ L\ G$ and every element of $L$ appears in $K$ then $\longrightarrow \mathit{seq}\ K\ G$.

When working with full higher-order abstract syntax, Lemmas 10 and 11 are quite powerful and provide the object-level substitution lemmas described earlier. Although a definition like $\mathit{seq}$ could be encoded in αProlog or a similar language, the corresponding lemmas would not be as useful because of the weaker notion of substitution.

A fundamental restriction of the proposed method for specification is that while definitions can make use of higher-order judgments, it is not possible for higher-order judgments to use definitions. This restriction is inherent in our encoding via $\mathit{seq}$ and is necessary to preserve the desirable meta-properties of higher-order judgments. Note, however, that this is a restriction on "control-flow" and not "data-flow" since we may still use higher-order judgments to specify a value which is then fed into a $\mathcal{G}^-$ specification.

6. Conclusions and Future Work 

Our translation provides a direct and concrete connection between αProlog and $\mathcal{G}^-$ including a tight mapping from the devices of the former to the corresponding devices of the latter. In particular, our translation provides an understanding of the relationship between the И- and ∇-quantifiers. When used at distinguished variable types, the ∇-quantifier exactly captures the meaning of the И-quantifier, at least from the perspective of specification. However, the ∇-quantifier can also be used at types which contain other constructors, which is essential for full higher-order abstract syntax and which is not possible with current understandings of the И-quantifier. In addition, using raising and the $\mathit{fresh}$ predicate, the ∇-quantifier can be freely moved up and down in a formula whereas the И-quantifier is always given a large scope since nominal logic does not have raising and therefore cannot push the И-quantifier underneath other quantifiers.

Through our translation we have also shown that higher-order 
abstract syntax specifications can have at least the same naturalness 
and expressiveness as nominal logic specifications. The resulting 
specifications are based on weak higher-order abstract syntax, but 
we have argued that the same qualities can be found with full 
higher-order abstract syntax. Therefore, despite being a very high- 
level approach to binding, higher-order abstract syntax can still 
be used naturally in specifications which demand a fine-grained 
control over variables. 



We have acknowledged the occasional failings of higher-order judgments to naturally capture some aspects of specifications involving binding. We have proposed a method which allows one to use higher-order judgments when relevant and a stronger specification language when preferred. This method allows one to benefit from the elegance of higher-order judgments during specification and from their associated meta-properties during reasoning.

Thus we have presented the logic programming language $\mathcal{G}^-$, which has the power of higher-order abstract syntax, the fine-grained variable control of nominal specifications, and the ability to capture the desirable properties of higher-order judgments.

It seems possible to develop a fairly direct reverse translation from $\mathcal{G}^-$ to αProlog in the cases where only weak higher-order abstract syntax is used. We have not pursued this line of work since full higher-order abstract syntax is more common and is required to reap the complete benefits of using higher-order judgments. Towards this, Gabbay and Cheney have developed a translation from FOλ∇, a first-order logic with λ-terms, full higher-order abstract syntax, and the ∇-quantifier, to a variant of nominal logic with λ-terms and the И-quantifier [2, 7]. Their translation makes a similar connection between the И- and ∇-quantifiers as in this paper, though in the opposite direction. However, the presence of λ-terms in their nominal logic is unorthodox and it would be interesting to see a similar result for a more traditional nominal logic.

We have ignored issues of executing specifications in our discussions, but we consider them briefly now. Most αProlog specifications can be efficiently executed [6, 22], while some require an expensive operation known as equivariant unification to backchain on clauses with И-quantifiers in the head [4]. It should also be possible to efficiently execute $\mathcal{G}^-$ definitions in a similar way, with similar issues when unfolding definitional clauses with ∇-quantifiers in the head. The difficulty of this corresponds roughly with that of solving equivariant unification problems in αProlog. However, specifications in $\mathcal{G}^-$ tend to use ∇-quantifiers in the head of definitions less often than αProlog uses И-quantifiers in the head of clauses since $\mathcal{G}^-$ has real λ-binders whereas αProlog must use И-quantification and name-abstraction to represent a binder. To efficiently execute such benign uses of the И-quantifier in the head of clauses, researchers have studied the notion of И-goal formulas [?, 21], which are essentially those which translate to $\mathcal{G}^-$ definitions without ∇-quantifiers in the head of clauses except for the distinguished $\mathit{fresh}$, $\mathit{swap}$, and $\mathit{abst}$ predicates.

In the worst case, our translation may produce a quadratic increase in the size of formulas due to raising. In practice, this does not appear to be an issue for several reasons. First, most specifications mention few object variables per formula and thus the amount of raising required is fairly limited. Second, by making dependencies explicit via raising we are able to statically solve freshness constraints as shown in the examples. This removes some raising and decreases the number of atomic formulas in a definition. Third, we are not proposing that specifications in $\mathcal{G}^-$ be written as if translated from αProlog. Specifications that instead use full higher-order abstract syntax and the corresponding notion of substitution inherit free implementation benefits. For example, an implementation can lazily apply substitutions, which may result in significant performance improvements. Further research is needed to accurately assess the relative efficiency of nominal and higher-order abstract syntax specifications.

The Abella system is a theorem prover for the logic $\mathcal{G}$ and supports the proposed method of specification where higher-order judgments are mixed with $\mathcal{G}$ definitions. In practice, we have found that this hybrid style provides a nice compromise between elegance and practicality. The reasoning over such specifications benefits from the meta-properties of higher-order judgments as expected and from the naturalness of specifications which directly use the features of $\mathcal{G}$. Abella can also execute these specifications, though it is not optimized for this. Through the translation given in this paper, it is possible to use Abella to execute and reason about αProlog specifications. An interesting direction for future work would be to assess such capabilities and to possibly develop them explicitly within Abella.

Finally, we note that higher-order judgments are incorporated in $\mathcal{G}$ via a definition and not by using the universal quantifier and implication of $\mathcal{G}$. Indeed, the latter devices have a much different behavior in $\mathcal{G}$ than in higher-order judgments. In higher-order judgments, universal quantification denotes a generic quantification and implication denotes a fixed assumption. In $\mathcal{G}$, universal quantification denotes a quantification over each and every possible value and implication restricts attention to worlds in which the hypotheses are provable. The Bedwyr system is based on a $\mathcal{G}$-like logic and uses these devices to encode and execute specifications of model-checking behavior such as bisimulation for the finite π-calculus [1].